On 8 May 2024, the Personal Information Protection Commission (PIPC) of the Republic of Korea issued a ruling in the investigation into Golfzon Co., Ltd (Golfzon). The PIPC concluded that Golfzon violated personal information protection laws and imposed a fine of KRW 7.54 billion (around USD 5.5 million) and an additional punitive fee of KRW 5.4 million (around USD 4,000). The investigation concerned a ransomware attack on Golfzon in November 2023, which led to the theft and subsequent dark web release of personal data of over 2.21 million users and employees, including sensitive information such as resident registration numbers and bank account numbers. The investigation found vulnerabilities in Golfzon's data protection measures, including inadequate security for a file server containing vast amounts of personal data, failure to encrypt resident registration numbers, and failure to destroy unnecessary personal information. In response, the PIPC issued corrective orders demanding the establishment of an internal management plan, compliance with safety measures, enhancement of the personal information protection officer's role, and regular data protection training for employees.